Iptables – unexpected RCODE REFUSED – eating up log files

I have a website which I host myself, and I use bind9 as my DNS server (host my own nameservers etc.).

I am having a problem with traffic bandwidth, and my syslog is full of the following type of issue:

error (unexpected RCODE REFUSED) resolving 'target-express.com/AAAA/IN': 193.95.142.60#53
error (unexpected RCODE REFUSED) resolving 'target-express.com/A/IN': 2001:7c8:3:2::5#53

In today's syslog, there are 144258 instances of this, all related to target-express.com.

My questions are:

is there anything I can do firewall-wise or bind config to stop this?
Why would my bind setup be trying to resolve target-express.com (it's not my domain, nothing to do with me).

I have checked my forwarders in named.conf, and none of them match the IPs showing in the logs (they are all basically different IPs, not just 193.95.142.60).

My iptables reads:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
REJECT     all  --  anywhere             loopback/8           reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
LOG        all  --  anywhere             anywhere             limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere

UPDATE:

I've tried the following now in named.conf.options to block recursion.

allow-transfer {"none";};
allow-recursion {"none";};
recursion no;

Once I did this, I am now seeing the following in syslog:

Mar  4 00:02:21 mail named[29037]: client 127.0.0.1#42139: query (cache) '24.124.41.103.in-addr.arpa/PTR/IN' denied
Mar  4 00:02:22 mail named[29037]: client 127.0.0.1#58405: query (cache) '45.124.41.103.in-addr.arpa/PTR/IN' denied
Mar  4 00:02:24 mail named[29037]: client 127.0.0.1#48692: query (cache) '106.49.174.61.in-addr.arpa/PTR/IN' denied

To get rid of the above, I added:

    additional-from-cache no;

Best Answer

Could your DNS forwarders be forwarding requests back to the original server?

If so this might be something like the problem I had last year (see Windows DNS servers repeatedly requesting records in zone when they get SERVFAIL response). Fix is to not have forwarding loops. This only shows up as a significant problem with zones that return SERVFAIL because those responses won't be cached.

As to what initiated the original query (and it may only have been one) could be just about anything - DNS lookup for web access control or something like that.

To avoid amplification (perhaps a better description than loops) you need to make sure that the DNS server where you're seeing these messages isn't forwarding queries to a server which might forward requests back. Are the servers you have configured on your local DNS server under your control or are they external?

Best Answer

Related Solutions

Iptables – Without iptables, telnet smtp.gmail.com 465 fine. With, no go. However, ports outbound open…

Linux – iptables port forward forwarding

Related Topic